[VPN] VPN using Netscreen 5xp

Lisa Phifer lisa at corecom.com
Thu Oct 10 10:04:05 EDT 2002


At 12:15 PM 10/8/2002 -0700, <Travis.Watson at Honeywell.com> wrote:
>If the other device has a dynamic IP, you may well have to pony up the 
>cash to get a routable static or make periodic edits.  Certs are the only 
>other way to make it work for certain


No, a remote peer can have a dynamic IP and use preshared secrets if
you identify that peer by FQDN or User-FQDN and use Aggressive Mode.

When using a pair of NS5XPs:

1) On the NS with the static IP, use the Gateway screen to configure
the dynamic peer. Check "Dynamic IP Address", put the hostname of the
dynamic peer in the "Peer ID" field, and check "Aggressive Mode".

2) On the NS with the dynamic IP, use the Gateway screen to configure
the static peer.  Check "Static IP Address" and "Aggressive Mode".
Under "Local ID", enter the local hostname of the dynamic device.

When using an NS5XP (static) and a VPN client (dynamic):

1) On the NS with the static IP, use the Gateway screen to configure
a "Dialup User". Pick a User Group or specific User from the pulldown.
Check "Aggressive Mode."  From the Users screen, create an entry for
each VPN client: under "IKE Identity", enter the email address that
the dynamically-addressed client will use to identify itself.

2) On the VPN client with the dynamic IP, under "Remote Party Identity
and Addresses", check "Connect Using", select IP Address, and enter
the IP address of the static peer.  Under "Security Policy", check
Aggressive Mode. Under "My Identity", enter the client's email address.

Both configs use preshared secrets for authentication. (Note: these are
NOT manual keys.)  You ~can~ use certificates instead of preshared
secrets in either config for stronger authentication, but you certainly
do not have to.  In either case, IKE can only be initiated by the side
with the dynamic IP, and the static peer can only be the responder.

Regards,
Lisa
=========================================================
Lisa A. Phifer                           lisa at corecom.com
Core Competence                    http://www.corecom.com
=========================================================
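The reason both procedures above require Aggressive Mode is the order in which IKEv1 Phase 1 reveals the peer's identity: in Main Mode the ID payload is encrypted in message 5, so a responder can choose the preshared key only by source address, whereas in Aggressive Mode the ID arrives in the clear in message 1 and the key can be chosen by FQDN or User-FQDN from any address. The following is an added, constructed model of that selection step on the static side, written for this page and not code from the original post or from NetScreen; the class and function names, the sample hostnames, e-mail address, and preshared secret are all assumptions, and the SKEYID computation follows RFC 2409 section 5.4 with HMAC-SHA1 as the prf.

```python
"""Toy model of IKEv1 Phase 1 pre-shared-key selection on a static responder.
Constructed illustration; not ScreenOS code and not a complete IKE implementation."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR = 1
ID_FQDN = 2        # hostname, e.g. the "Peer ID" of a dynamic NS5XP
ID_USER_FQDN = 3   # e-mail style, e.g. the "IKE Identity" of a dialup user


@dataclass
class Message1:
    """The first Phase 1 message as seen by the responder."""
    mode: str                       # "main" or "aggressive"
    src_ip: str                     # address the packet arrived from
    nonce: bytes                    # Ni
    id_type: Optional[int] = None   # only present in Aggressive Mode
    id_value: Optional[str] = None


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409, section 5.4):
    prf(pre-shared-key, Ni_b | Nr_b), here with HMAC-SHA1 as the prf."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


class StaticResponder:
    """The device with the static IP.  It only ever responds, and it must
    pick a preshared key before it has authenticated anything."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, bytes] = {}                  # "Static IP Address" gateways
        self._by_id: Dict[Tuple[int, str], bytes] = {}      # "Dynamic IP Address" / "Dialup User" gateways

    def add_static_gateway(self, peer_ip: str, psk: bytes) -> None:
        self._by_ip[peer_ip] = psk

    def add_dynamic_gateway(self, id_type: int, id_value: str, psk: bytes) -> None:
        # Keyed by the FQDN in "Peer ID" or the User-FQDN in "IKE Identity".
        self._by_id[(id_type, id_value)] = psk

    def select_psk(self, m: Message1) -> Optional[bytes]:
        if m.mode == "main":
            # Main Mode: the initiator's ID is still encrypted at this point,
            # so the only selector available is the source address.
            return self._by_ip.get(m.src_ip)
        if m.mode == "aggressive" and m.id_type is not None and m.id_value is not None:
            # Aggressive Mode: the ID payload is in message 1, in the clear,
            # so the peer is matched by name regardless of its current address.
            return self._by_id.get((m.id_type, m.id_value))
        return None

    def respond(self, m: Message1, nr: Optional[bytes] = None):
        """Return (accepted, Nr, SKEYID).  Nr may be supplied to make a run reproducible."""
        psk = self.select_psk(m)
        if psk is None:
            return False, None, None
        nr = nr or secrets.token_bytes(16)
        return True, nr, skeyid(psk, m.nonce, nr)


def demo() -> bool:
    """Both configurations from the post: an NS5XP peer identified by FQDN and a
    VPN client identified by e-mail address, each reaching the responder from
    an address it was never configured with."""
    r = StaticResponder()
    psk = b"example-preshared-secret"   # constructed, not a real key
    r.add_dynamic_gateway(ID_FQDN, "branch.example.com", psk)      # NS5XP pair
    r.add_dynamic_gateway(ID_USER_FQDN, "alice@example.com", psk)  # dialup user
    ni = b"\x01" * 16
    site = Message1("aggressive", "203.0.113.77", ni, ID_FQDN, "branch.example.com")
    client = Message1("aggressive", "198.51.100.9", ni, ID_USER_FQDN, "alice@example.com")
    results = []
    for m in (site, client):
        ok, nr, k = r.respond(m)
        # The initiator derives the same SKEYID from its own copy of the secret.
        results.append(ok and k == skeyid(psk, ni, nr))
    return all(results)


if __name__ == "__main__":
    print("both dynamic peers accepted:", demo())
```

Note that `select_psk` returns nothing for a Main Mode attempt from an address the responder has not been configured with, which is exactly why a dynamically addressed peer cannot use Main Mode with preshared secrets, and why the static side can never be the initiator: it has no address to send message 1 to.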